Wednesday, January 6, 2010

Two major vulnerabilities have recently been discovered in the PowerDNS Recursor (all versions up to and including 3.1.7.1). Over the past two weeks, these vulnerabilities have been addressed, resulting in PowerDNS Recursor 3.1.7.2.

Given the nature and magnitude of these vulnerabilities, ALL PowerDNS RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No versions of the PowerDNS Authoritative Server are affected.
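To turn the affected range stated above into a check you can run on each resolver host, here is an added example (not part of the original announcement or of the PowerDNS project) that compares a dotted version string against the fixed release 3.1.7.2 and reports whether the host still needs the upgrade. The helper that reads the version from the installed binary assumes `pdns_recursor --version` prints a line containing the version number; that invocation and the sample version strings are assumptions of this example, not something the announcement states.

```shell
#!/bin/sh
# Added example: decide whether an installed PowerDNS Recursor falls in the
# affected range (all versions up to and including 3.1.7.1), i.e. anything
# numerically lower than the fixed release below.
FIXED_VERSION="3.1.7.2"

# version_lt A B
# Exit 0 if dotted version A is numerically lower than dotted version B.
# Missing components are treated as 0, so "3.1.7" compares as 3.1.7.0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# recursor_needs_upgrade VERSION
# Exit 0 if VERSION is in the affected range, 1 if it is 3.1.7.2 or newer.
recursor_needs_upgrade() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_recursor_version
# Assumption: `pdns_recursor --version` prints a line containing the version
# number. Prints the first dotted number found, or nothing if unavailable.
installed_recursor_version() {
    pdns_recursor --version 2>&1 | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# Run as a script: report on the locally installed recursor, if any.
if [ "${0##*/}" = "check_pdns_recursor.sh" ]; then
    v=$(installed_recursor_version)
    if [ -z "$v" ]; then
        echo "pdns_recursor not found or version not recognised"
    elif recursor_needs_upgrade "$v"; then
        echo "pdns_recursor $v is AFFECTED: upgrade to $FIXED_VERSION"
    else
        echo "pdns_recursor $v is not in the affected range"
    fi
fi
```

Save it as `check_pdns_recursor.sh` to get the report, or source it and call `recursor_needs_upgrade` with the version string your packaging tool reports; the comparison is purely numeric, so distribution suffixes (such as `-1` in the package names below) must be stripped before calling it.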

PowerDNS Recursor 3.1.7.2 has been thoroughly tested, and has in fact been in production for a week at some major sites already. No problems have been reported. 3.1.7.2 does not include anything other than security updates.

The two major vulnerabilities can lead to a FULL SYSTEM COMPROMISE, as well as cache poisoning, connecting your users to possibly malicious IP addresses.

These vulnerabilities were discovered by a third party that for now prefers not to be named. PowerDNS is however very grateful for their help. More details are available on:
http://doc.powerdns.com/powerdns-advisory-2010-01.html
http://doc.powerdns.com/powerdns-advisory-2010-02.html

Debian, FreeBSD, Gentoo and SuSE are processing the changed packages, and will be releasing security updates shortly. Ubuntu does not provide security updates for PowerDNS, so Ubuntu users must take immediate action and download our packages.

RHEL4/5, CentOS packages are available (care of Kees Monshouwer) here:
http://www.monshouwer.eu/download/3th_party/pdns-recursor/

Updated packages for .deb based systems are available here:
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-recursor_3.1.7.2-1_amd64.deb

Updated packages for .rpm based systems are available here:
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-recursor-3.1.7.2-1.x86_64.rpm

Source code is available here:
http://downloads.powerdns.com/releases/pdns-recursor-3.1.7.2.tar.bz2

Special 'upgrade option of last resort' (old systems)
-----------------------------------------------------
In addition, as a special service, we are also providing two precompiled fully static Linux binaries as an 'upgrade option of last resort':